Welcome to AsiaBizTech Web Site

Top Page
Site Map
News at a Glance Member Services AsiaBizTech Resources

Advanced Search

(Nikkei BP Group)

(No.1 High-Tech News Site in Japanese)

  • Japan Center Unhappy with Unauthorized Access Proposals
  • December 4, 1998 (TOKYO) -- The Japan Network Information Center held an emergency meeting recently to debate inadequacies in two draft proposals for legislation that would control unauthorized access to computers.
    The draft proposals were published separately in November by the National Police Agency (NPA) and Ministry of Posts and Telecommunications (MPT).

    The purpose of the JPNIC debate was to solicit opinions from members about the two draft documents, with a view toward submitting a summary of comments to relevant ministries and agencies. A further aim was to provide JPNIC members with basic information about the proposed legislation and its objectives. Lawyers with specific knowledge of laws and regulations enacted in other countries also attended the meeting.

    During the three-hour debate, members mostly voiced their dissatisfaction at the excessive ambiguities in the draft documents. Among other things, they thought that "unauthorized access" was inadequately defined, and they commented on the lack of clarity about what needs to be recorded in access logs.

    For example, the NPA and MPT draft documents include the fraudulent use of an ID or password under the definition of "unauthorized access." But they do not make clear whether the action of acquiring such IDs or passwords, by means such as exhaustively attacking a server (brute-force attack), comes under the definition.

    In regard to keeping access logs, JPNIC members expressed doubts as to whether log files, which are text files that can easily be tampered with, constitute adequate evidence. One person made the following comment: "Of course, hackers will erase their traces from access logs when they abuse a server as a relay site. So it's nonsense to require the administrator of a vulnerable server to store logs."

    Apart from expressing dissatisfaction with the lack of specific detail in the documents, JPNIC members raised doubts about limiting the type of information protected under the legislation to IDs and passwords only. They also questioned the legal requirement to keep logs for three months and to report discovered incidents to the Public Safety Commission. One member said that "there must be lots of other things that ought to be done to deter hackers besides obliging administrators to keep logs."

    A show of hands indicated that most JPNIC members could neither agree nor disagree with the drafts in their present form in regard to the duty to keep logs, the adequacy of the three-month storage period, the "unauthorized access" definition and other matters.

    There was consensus in one aspect only: the vast majority of members opposed having to report discovered access attempts or break-ins to the Public Safety Commission.

    (Nikkei Communications)

    <Visit News Center for more Asian news.>

    Copyright © 1997-98
    Nikkei BP BizTech, Inc.
    All Rights Reserved.
    Updated: Thu Dec 3 17:07:11 1998 PDT